
[ScreenOS] How to check and increase the length of the pass through DNS query when inspecting the DNS traffic via the DI?


Article ID: KB23925   KB Last Updated: 23 May 2012   Version: 1.0
Summary:
This article provides information on how to check and increase the length of the pass through DNS query on ScreenOS devices, when inspecting the DNS traffic via the DI.


Symptoms:
  • How do you check and increase the length of the pass-through DNS query on ScreenOS devices when inspecting DNS traffic via the DI?

  • What are the minimum, maximum and default lengths of the pass-through DNS query on ScreenOS devices?
Cause:

Solution:
To check the length of the pass-through DNS query that the DI feature currently permits, use the following command:
get di service dns udp_message_limit
The output of this command also shows the minimum, maximum and default length of the pass-through DNS query:

get di service dns udp_message_limit

Name                Min    Max     Default   Current
udp_message_limit   512    4096    512       512

From the above output, you can see that the current value is 512 bytes. To change the permitted length of the DNS query, use the following command (the value must lie between the 512-byte minimum and the 4096-byte maximum):

set di service DNS udp_message_limit <Length [512,4096]>

With the default value of 512 bytes for the DNS query message, when DI is enabled in the policy and a pass-through DNS query message larger than 512 bytes reaches the firewall, the DI inspects the packet and drops it because it exceeds the configured size limit.

In this scenario, if the DNS query is genuine and the administrator needs to allow it through the firewall, the above command can be used to raise the permitted size of the DNS query message (up to the 4096-byte maximum), which lets the query pass through the firewall with DI enabled.
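The following Python script is an added example and is not part of the Juniper article or ScreenOS itself. It parses the "get di service dns udp_message_limit" output shown above (a constructed copy of that output is embedded in the script), builds a DNS query on the wire so its UDP message length can be measured, decides whether DI at the current limit would drop it, and, when a change is needed, emits the corresponding "set di service DNS udp_message_limit" command clamped to the documented [512,4096] range. The oversized query is produced with an EDNS0 Padding option, which is the example's own way of manufacturing a legitimate query larger than 512 bytes; the article does not discuss EDNS0.

```python
import struct

# Constructed sample of the "get di service dns udp_message_limit" output
# described in the article (not captured from a real device).
SAMPLE_OUTPUT = """\
get di service dns udp_message_limit

Name                Min    Max     Default   Current
udp_message_limit   512    4096    512       512
"""

OPT_TYPE = 41          # EDNS0 OPT pseudo-RR type (RFC 6891)
OPT_PADDING_CODE = 12  # EDNS0 Padding option code (RFC 7830)


def parse_udp_message_limit(output):
    """Return {'min', 'max', 'default', 'current'} parsed from the CLI output."""
    for line in output.splitlines():
        fields = line.split()
        if len(fields) == 5 and fields[0] == "udp_message_limit":
            values = (int(f) for f in fields[1:])
            return dict(zip(("min", "max", "default", "current"), values))
    raise ValueError("udp_message_limit line not found in output")


def encode_name(qname):
    """Encode a dotted hostname into DNS label wire format (RFC 1035)."""
    out = b""
    for label in qname.rstrip(".").split("."):
        raw = label.encode("ascii")
        out += struct.pack("B", len(raw)) + raw
    return out + b"\x00"


def build_dns_query(qname, txid=0x1234, padding=0):
    """Build a standard A query; padding > 0 appends an EDNS0 OPT RR with that many padding bytes."""
    arcount = 1 if padding else 0
    # ID, flags (RD set), QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)
    question = encode_name(qname) + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN
    msg = header + question
    if padding:
        option = struct.pack("!HH", OPT_PADDING_CODE, padding) + b"\x00" * padding
        # OPT RR: root name, TYPE 41, CLASS = advertised UDP payload size,
        # TTL = extended RCODE/version/flags (all zero), RDLENGTH, RDATA = options
        msg += b"\x00" + struct.pack("!HHIH", OPT_TYPE, 4096, 0, len(option)) + option
    return msg


def would_be_dropped(message, limits):
    """True if DI at the current udp_message_limit would drop this UDP DNS message."""
    return len(message) > limits["current"]


def set_command_for(message, limits):
    """Return the ScreenOS command that lets this message through, or None if no change is needed.

    Raises ValueError when the message exceeds the hard maximum, because no
    udp_message_limit setting can allow it through DI.
    """
    needed = len(message)
    if needed <= limits["current"]:
        return None
    if needed > limits["max"]:
        raise ValueError("message of %d bytes exceeds the %d-byte maximum" % (needed, limits["max"]))
    # Value is already within [min, max] here: above current (>= min) and <= max.
    return "set di service DNS udp_message_limit %d" % needed


if __name__ == "__main__":
    limits = parse_udp_message_limit(SAMPLE_OUTPUT)
    for name, query in (("plain", build_dns_query("www.example.com")),
                        ("padded", build_dns_query("www.example.com", padding=600))):
        print("%s query: %d bytes, dropped=%s, fix=%s"
              % (name, len(query), would_be_dropped(query, limits),
                 set_command_for(query, limits)))
```

Running the script shows that a 33-byte plain query passes at the default limit while a 648-byte padded query would be dropped until the limit is raised to at least 648; anything above 4096 bytes cannot be accommodated by this setting at all.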